Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
"Kaz Kobara" <kobara_conf@m.aist.go.jp> Sat, 27 March 2010 18:03 UTC
Return-Path: <kobara_conf@m.aist.go.jp>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3ACEE3A6A1D for <ipsec@core3.amsl.com>; Sat, 27 Mar 2010 11:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.04
X-Spam-Level: *
X-Spam-Status: No, score=1.04 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JAowOv+EUoFc for <ipsec@core3.amsl.com>; Sat, 27 Mar 2010 11:03:53 -0700 (PDT)
Received: from mx1.aist.go.jp (mx1.aist.go.jp [150.29.246.133]) by core3.amsl.com (Postfix) with ESMTP id C55353A6A25 for <ipsec@ietf.org>; Sat, 27 Mar 2010 10:59:44 -0700 (PDT)
Received: from rqsmtp1.aist.go.jp (rqsmtp1.aist.go.jp [150.29.254.115]) by mx1.aist.go.jp with ESMTP id o2RI074R024389 for <ipsec@ietf.org>; Sun, 28 Mar 2010 03:00:07 +0900 (JST) env-from (kobara_conf@m.aist.go.jp)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=m.aist.go.jp; s=aist; t=1269712808; bh=ZwAx8/HVlwgKSJxrqYjZwfinhLwcXaBCV94qeNvuuhc=; h=From:Date:Message-ID; b=RHvZKtfKlUnUeMUVrgq0FAi2/oa3YCgba6b39rnbXNYuSnkH1U+v4fIclgrSIrJt7 wrE3XcSGrTCytDnZv/mcjegnqO9Fv+GZ5jvw8tgyt1Pqa8VSd7KglU0Cq5ln5XcQP7 HX5y8Rr2NM+UOZkIkZX+iImYf0NOkG0fG2qEQmbQ=
Received: from smtp3.aist.go.jp by rqsmtp1.aist.go.jp with ESMTP id o2RI07Zh026292 for <ipsec@ietf.org>; Sun, 28 Mar 2010 03:00:07 +0900 (JST) env-from (kobara_conf@m.aist.go.jp)
Received: by smtp3.aist.go.jp with ESMTP id o2RI06EH006890 for <ipsec@ietf.org>; Sun, 28 Mar 2010 03:00:06 +0900 (JST) env-from (kobara_conf@m.aist.go.jp)
From: Kaz Kobara <kobara_conf@m.aist.go.jp>
To: ipsec@ietf.org
References: <015701cacc74$9b0f3c20$d12db460$@aist.go.jp> <4BAC4283.9010002@gmail.com> <018001cacd04$d59efc50$80dcf4f0$@aist.go.jp> <4BAE10BC.7090401@gmail.com>
In-Reply-To: <4BAE10BC.7090401@gmail.com>
Date: Sun, 28 Mar 2010 03:00:05 +0900
Message-ID: <001001cacdd7$557f0190$007d04b0$@aist.go.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcrNtpMmMMIoC/ViRI+gPGrJRa/rwAAIJx9Q
Content-Language: ja
Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Mar 2010 18:03:55 -0000
> between gateways, people abuse > PSK authentication by using it with short passwords. I agree, but what I wanted to say was this is also true (and even worse) "between clients and gateways". > -----Original Message----- > From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > Sent: Saturday, March 27, 2010 11:06 PM > To: Kaz Kobara > Cc: ipsec@ietf.org > Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway) > > Hi Kaz, > > the deployment experience has been that between gateways, people abuse > PSK authentication by using it with short passwords. Even though in > principle they could do better. > > Thanks, > Yaron > > On 26.3.2010 19:53, Kaz Kobara wrote: > > Hi Yaron > > > > Thank you for your clarification. > > > >> "between gateways" as opposed to > >> "between clients and gateways". So your assertion is correct. > > > > (Between gateways, administrators can set long secrets, so the necessity > of > > PAKE seems smaller than between clients and gateways where passwords are > > recorded in the gateways and users have to type the passwords.) > > > > Anyway, if the scope is limited only on "between gateways" but not "between > > clients and gateways," the title > > "Password-Based Authentication in IKEv2: Selection Criteria and > Comparison" > > seems misleading (since this itself misinforms that this criteria may > be > > applied to IKEv2 in any cases), and the above should be clearly mentioned > in > > the document. > > > > Kaz > > > >> -----Original Message----- > >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > >> Sent: Friday, March 26, 2010 2:14 PM > >> To: Kaz Kobara > >> Cc: ipsec@ietf.org > >> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway) > >> > >> Hi Kaz, > >> > >> I *thought* my intention was clear: "between gateways" as opposed to > >> "between clients and gateways". So your assertion is correct. > >> > >> Thanks, > >> Yaron > >> > >> On 26.3.2010 1:40, Kaz Kobara wrote: > >>> Hi Yaron > >>> > >>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4 > >>>> "This document is limited to the use of password-based authentication > >> to > >>>> achieve trust between gateways" > >>> > >>> I would like to make sure that > >>> "gateway" in this document does not encompass VPN clients and hosts, > > right? > >>> > >>> Kaz > >>> > >>>> -----Original Message----- > >>>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On > Behalf > >> Of > >>>> Yaron Sheffer > >>>> Sent: Friday, March 26, 2010 3:31 AM > >>>> To: SeongHan Shin > >>>> Cc: IPsecme WG; Kazukuni Kobara > >>>> Subject: Re: [IPsec] New PAKE Criteria draft posted > >>>> > >>>> Hi Shin, > >>>> > >>>> Yes. For the typical remote access VPN, EAP is typically more useful. > >>>> Note that there is still need for strong password-based mutual > >>>> authentication EAP methods - but their home is the EMU working group. > >>>> > >>>> In addition, the IPsecME has another charter item designed to fit such > >>>> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2. > >>>> > >>>> Please see again the group's charter, > >>>> http://tools.ietf.org/wg/ipsecme/charters. > >>>> > >>>> Thanks, > >>>> Yaron > >>>> > >>>> On 25.3.2010 20:07, SeongHan Shin wrote: > >>>>> Dear Yaron Sheffer, > >>>>> > >>>>> I have one question about the draft. > >>>>> > >>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4 > >>>>> "This document is limited to the use of password-based authentication > >>>> to > >>>>> achieve trust between gateways" > >>>>> > >>>>> Is this a consensus of this WG? > >>>>> > >>>>> Best regards, > >>>>> Shin > >>>>> > >>>>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer<yaronf.ietf@gmail.com > >>>>> <mailto:yaronf.ietf@gmail.com>> wrote: > >>>>> > >>>>> Hi, > >>>>> > >>>>> after the good discussion in Anaheim, and with the help of > > comments > >>>>> received on and off the list, I have updated the PAKE Criteria > >> draft > >>>>> and posted it as > >>>>> > >>>> http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt. > >>>>> > >>>>> I have added a number of criteria, clarified others, and added > >>>>> numbering (SEC1-SEC6, IPR1-IPR3 etc.). > >>>>> > >>>>> Thanks, > >>>>> Yaron > >>>>> _______________________________________________ > >>>>> IPsec mailing list > >>>>> IPsec@ietf.org<mailto:IPsec@ietf.org> > >>>>> https://www.ietf.org/mailman/listinfo/ipsec > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> > ------------------------------------------------------------------ > >>>>> SeongHan Shin > >>>>> Research Center for Information Security (RCIS), > >>>>> National Institute of Advanced Industrial Science and Technology > >> (AIST), > >>>>> Room no. 1003, Akihabara Daibiru 10F, > >>>>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan > >>>>> Tel : +81-3-5298-2722 > >>>>> Fax : +81-3-5298-4522 > >>>>> E-mail : seonghan.shin@aist.go.jp<mailto:seonghan.shin@aist.go.jp> > >>>>> > ------------------------------------------------------------------ > >>>> _______________________________________________ > >>>> IPsec mailing list > >>>> IPsec@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/ipsec > >>> > >>> > >>> _______________________________________________ > >>> IPsec mailing list > >>> IPsec@ietf.org > >>> https://www.ietf.org/mailman/listinfo/ipsec > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec
- Re: [IPsec] New PAKE Criteria draft posted (def. … Kaz Kobara
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Kaz Kobara
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Kaz Kobara
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Dan Harkins
- Re: [IPsec] New PAKE Criteria draft posted (def. … Kaz Kobara
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Kaz Kobara
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Paul Hoffman
- Re: [IPsec] New PAKE Criteria draft posted (def. … Tero Kivinen
- Re: [IPsec] New PAKE Criteria draft posted (def. … Raj Singh
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer
- Re: [IPsec] New PAKE Criteria draft posted (def. … Raj Singh
- Re: [IPsec] New PAKE Criteria draft posted (def. … Yaron Sheffer